
Cyber Attack News – Risk Roundup – Top Stories for May 2025

May 27, 2025

Attacks on critical infrastructure are not slowing down—if anything, they’re accelerating, as evidenced by multiple government alerts and strategic moves around the globe this May.

In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the FBI and other federal partners, issued a joint advisory warning of a spike in unsophisticated but highly effective intrusions targeting industrial control systems (ICS) and SCADA environments. These attacks exploit misconfigured devices, exposed assets, and poor cyber hygiene, placing essential services—such as energy, oil, gas, and transportation—at risk of serious operational disruption or even physical damage. The advisory includes practical mitigation guidance for infrastructure operators and underscores the urgent need for baseline cyber hygiene in OT systems.
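The advisory's point is that these intrusions need no exploit at all; they ride on exposed services, factory-default logins, and remote access without MFA. The script below is an added example (not code from the page, CISA, or Xage) of the kind of inventory audit that surfaces exactly those three conditions. The inventory schema, the `Asset` type, the default-credential list, and the sample assets are all constructed for illustration; the ICS port numbers are the protocols' well-known assignments.

```python
"""Audit an OT asset inventory for the hygiene failures the CISA/FBI advisory
calls out: ICS services reachable from the internet, factory-default
credentials, and remote access that does not require MFA.

Added example, not code from the page, CISA, or Xage. The inventory schema,
the Asset type, the default-credential list, and the sample assets are all
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known ports of common ICS/SCADA protocols.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "Siemens S7 (ISO-TSAP)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
    4840: "OPC UA",
}
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 443: "Web HMI / VPN"}

# Constructed sample of factory-default logins. A real audit would draw on
# vendor documentation or a maintained default-credential list.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "1234"), ("root", "root"),
                 ("operator", "operator"), ("admin", "")}

# Address space treated as "inside the plant"; a CIDR not wholly inside one of
# these ranges counts as internet-reachable (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Asset:
    name: str
    ip: str
    services: dict                       # listening port -> CIDRs allowed to reach it
    credentials: Optional[tuple] = None  # (username, password) configured on the device
    mfa: bool = False                    # is MFA enforced for remote access?


def is_internet_reachable(cidr: str) -> bool:
    """True unless the whole CIDR sits inside one of the internal ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def audit(assets):
    """Return (severity, asset, detail) findings, most severe first."""
    findings = []
    for asset in assets:
        for port, reach in asset.services.items():
            exposed = [c for c in reach if is_internet_reachable(c)]
            if not exposed:
                continue
            if port in ICS_PORTS:
                findings.append(("CRITICAL", asset.name,
                                 f"{ICS_PORTS[port]} (tcp/{port}) reachable from {', '.join(exposed)}"))
            elif port in REMOTE_ACCESS_PORTS and not asset.mfa:
                findings.append(("HIGH", asset.name,
                                 f"{REMOTE_ACCESS_PORTS[port]} (tcp/{port}) exposed without MFA"))
        if asset.credentials in DEFAULT_CREDS:
            findings.append(("HIGH", asset.name,
                             f"factory-default credentials in use (user '{asset.credentials[0]}')"))
    rank = {"CRITICAL": 0, "HIGH": 1}
    findings.sort(key=lambda f: (rank[f[0]], f[1]))
    return findings


# Constructed inventory: one clean PLC, one badly exposed HMI, one RTU reachable
# from a vendor's public range, and a jump host that is exposed but uses MFA.
SAMPLE_INVENTORY = [
    Asset("PLC-01", "10.20.1.5", {502: ["10.20.0.0/16"]}, ("engineer", "Xk9!plant-2025")),
    Asset("HMI-03", "10.20.1.20", {502: ["0.0.0.0/0"], 5900: ["0.0.0.0/0"]}, ("admin", "admin")),
    Asset("RTU-07", "10.30.2.9", {20000: ["10.30.0.0/16", "203.0.113.0/24"]}, ("operator", "operator")),
    Asset("JUMP-01", "10.20.1.100", {443: ["0.0.0.0/0"]}, ("svc-remote", "long-random-secret"), mfa=True),
]

if __name__ == "__main__":
    for severity, name, detail in audit(SAMPLE_INVENTORY):
        print(f"[{severity}] {name}: {detail}")
```

Two design points worth noting. Exposure is judged by whether a reachability CIDR is a subnet of a known internal range rather than by an address being "public": a rule such as `0.0.0.0/0` is not a private network, but some library heuristics will classify it as one, and a vendor's routable range (`203.0.113.0/24` above) must be flagged even though it is not "the whole internet". And an exposed remote-access port is reported only when MFA is absent, which is what separates the jump host (acceptable) from the HMI's open VNC (not). The sample flags the HMI three times and the RTU twice; the PLC and the MFA-protected jump host produce nothing.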

At the same time, international governments are taking structural steps to reduce dependency on global cyber coordination and accelerate local response:

  • The European Union launched the European Vulnerability Database (EUVD), an EU-operated platform, run by ENISA, for tracking and managing cybersecurity vulnerabilities. Mandated by the NIS2 directive, the EUVD reflects European concern about depending on U.S.- and Chinese-run disclosure systems and aims to close the response-time gaps left by programs like MITRE's CVE.
  • Japan enacted a sweeping Active Cyber Defense Law, authorizing preemptive cyber operations and monitoring of foreign internet traffic transiting Japanese infrastructure. The law mandates breach reporting by critical infrastructure operators and empowers both police and Self-Defense Forces cyber units to disrupt adversarial operations before damage occurs.

Here are the most significant critical infrastructure cyber incidents from May 2025.

Coordinated and Isolated Cyberattacks Disrupt UK Retail and Global Food Supply Chains

A wave of ransomware attacks has disrupted operations across the UK's retail and grocery sectors, with the incidents at Marks & Spencer, Harrods, and Co-op attributed to the Scattered Spider group. These attacks show a calculated use of social engineering and third-party compromise to penetrate enterprise environments and disrupt services that function as national infrastructure.

Marks & Spencer projected more than $400 million in lost profit after key systems were encrypted and customer data, including names, contact details, and partial payment information, was stolen. The intrusion has reportedly been traced to a third-party IT contractor, Tata Consultancy Services (TCS), underscoring persistent supply chain risk. Co-op was hit at roughly the same time; the resulting shutdown of its back-end and logistics systems left stores in regions like the Scottish islands without resupply.

While Scattered Spider has not claimed responsibility, Peter Green Chilled, a logistics provider serving major UK supermarkets, was also hit by a ransomware attack. The breach disrupted order processing though transport operations continued, marking another blow to the UK’s food distribution network. The timing suggests a broader surge in attacks on food logistics, even if this case is not directly linked to the wider campaign.

Adding to the concern, Arla Foods, one of the world’s largest dairy producers, reported a cyberattack at its German facility. The incident temporarily halted production, though other sites remained unaffected and operations are expected to be restored soon. No attacker has claimed responsibility yet.

Together, these incidents point to a deepening threat landscape in which retail, logistics, and food production systems are increasingly targeted, often simultaneously, by highly organized threat actors. The cascading disruptions emphasize the urgent need for strengthened supply chain security, improved incident response coordination, and investment in critical infrastructure defense.

Xage Critical Asset Protection can help mitigate and contain attacks like these by enforcing zero trust access controls across IT, OT, and cloud environments. Identity-based segmentation and tamper-proof access control prevent lateral movement by attackers, even if initial access is gained. In the event of a breach, Xage enables rapid isolation of compromised assets, minimizing operational disruption.

 

Cyberattacks Highlight Growing Threat to Energy Infrastructure

Energy providers continue to face a wave of sophisticated cyber threats that expose the fragility of both digital and physical systems powering critical infrastructure.

A cyberattack on Nova Scotia Power disrupted customer-facing systems, halting new service activations and limiting support—despite power generation remaining unaffected. The incident underscores how IT-layer vulnerabilities can have operational consequences, particularly in critical services.

More alarming still, investigations into U.S. solar infrastructure uncovered undocumented communication equipment, including cellular radios, in some Chinese-made power inverters, devices widely deployed in solar farms. Because such a radio provides a remote communication path that bypasses the operator's firewalls, it could be used as a "kill switch" to disrupt or disable portions of the national power grid. The discovery raises significant national security concerns, especially given the widespread integration of foreign-manufactured components in critical energy systems.

These incidents reflect a growing pattern: adversaries increasingly target the digital entry points and embedded technologies within energy infrastructure.

Xage can help prevent and contain these types of attacks on energy companies and electric utilities by enforcing zero trust access controls across both IT and OT systems, ensuring that only authorized users and processes can interact with critical infrastructure. The distributed, tamper-proof architecture blocks lateral movement, detects unauthorized behavior, and enables real-time isolation of compromised assets, keeping operations safe even if an attacker gains initial access.

 

Patching Isn’t Enough: Why OT and Enterprise Systems Remain Exposed

Vulnerabilities in widely used enterprise and operational platforms are being actively exploited—often long after patches have been released. As attackers intensify their focus on operational technology (OT) environments, recent incidents highlight the urgent need for security strategies that go beyond patch management.

In May alone:

  • Siemens and Schneider Electric issued patches for critical flaws in industrial systems, reflecting the growing attention threat actors are paying to OT assets.
  • Arctic Wolf reported live exploitation of a vulnerability in Samsung MagicINFO 9 (CVE-2024-7399), a digital signage platform widely used in public-facing OT environments. Although the patch was released in 2024, exploitation spiked after a proof-of-concept was made public—illustrating the enduring threat from unpatched or poorly monitored devices.
  • Atlassian addressed eight high-severity vulnerabilities across Jira, Confluence, and Bamboo—tools heavily relied on in both enterprise and government settings. Left unpatched, these flaws could allow unauthorized access and privilege escalation.

Unpatched vulnerabilities in widely deployed systems continue to pose persistent risks. In OT environments, where patching may occur only once or twice annually, critical assets are frequently left exposed for extended periods. Relying on patch cycles alone is not adequate, particularly in OT or integrated IT-OT networks.

Attackers are exploiting these gaps, leveraging delayed updates, legacy infrastructure, and weak change management to infiltrate and pivot laterally across systems.

Xage Critical Asset Protection addresses these challenges with a non-intrusive, layered approach that includes identity-based access control, dynamic segmentation, and virtual patching. It enforces granular, zero trust policies at the asset level, ensuring only authorized users and processes can interact with critical infrastructure. Segmentation blocks lateral movement, and virtual patching shields unpatched systems through policy enforcement—maintaining security even when traditional fixes aren’t feasible. This integrated defense ensures continuous protection across OT, data center, and cloud environments—without operational disruption.
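To make "virtual patching" concrete, here is an added example (not code from the page, Samsung, or Xage) of a compensating control for the class of flaw behind CVE-2024-7399 discussed above, which Samsung's advisory describes as a path-traversal weakness in a file-upload handler: an in-line request filter that refuses uploads whose file name would escape the upload directory or would write a server-executable file, so an unpatched host behind it stays shielded until the vendor fix is applied. The request schema, the `/app/upload` endpoint, the `/var/app/upload` root, and the sample requests are all constructed assumptions; nothing here reproduces the product's actual paths or an exploit.

```python
"""A minimal "virtual patch" for the class of flaw behind CVE-2024-7399
(path traversal in a file-upload handler): an in-line request filter that
rejects uploads whose file name would escape the upload directory or would
write a server-executable file, so an unpatched host behind it is shielded
until the vendor fix is applied.

Added example, not code from the page, Samsung, or Xage. The request schema,
upload endpoint, upload root, and sample requests are constructed; in a real
deployment this logic lives in a reverse proxy or WAF in front of the host.
"""
import posixpath
from urllib.parse import unquote

UPLOAD_ENDPOINTS = {"/app/upload"}      # assumed; the real path is product-specific
UPLOAD_ROOT = "/var/app/upload"         # assumed destination directory on the server
# Extensions the application server would execute if written under its webroot.
EXECUTABLE_EXT = {".jsp", ".jspx", ".war", ".jar", ".php", ".aspx", ".sh"}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) before inspecting."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_upload_path(filename: str) -> str:
    """Canonical path the server would write to, after the tricks attackers use."""
    name = fully_decode(filename).replace("\\", "/")   # Windows separators count too
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    name = name.lstrip("/")                              # absolute paths -> relative
    if len(name) > 1 and name[1] == ":":                 # drop a Windows drive letter
        name = name[2:].lstrip("/")
    if not name:
        raise ValueError("empty file name")
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))


def inspect_upload(request: dict):
    """Return (allowed, reason) for one request. Only upload POSTs are inspected."""
    if request.get("method") != "POST" or request.get("path") not in UPLOAD_ENDPOINTS:
        return True, "not an upload request"
    filename = request.get("filename", "")
    try:
        target = resolve_upload_path(filename)
    except ValueError as err:
        return False, str(err)
    if not target.startswith(UPLOAD_ROOT + "/"):
        return False, f"path traversal: {filename!r} resolves to {target}"
    ext = posixpath.splitext(target)[1].lower()
    if ext in EXECUTABLE_EXT:
        return False, f"executable extension {ext} rejected"
    return True, f"ok -> {target}"


def run_filter(requests):
    """Apply the filter to a batch; returns (filename, allowed, reason) per request."""
    return [(r.get("filename", ""), *inspect_upload(r)) for r in requests]


# Constructed requests: two legitimate uploads, five traversal/webshell attempts
# in different encodings, and one unrelated request that is passed through.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/app/upload", "filename": "signage_schedule_2025-05.bin"},
    {"method": "POST", "path": "/app/upload", "filename": "images/logo.png"},
    {"method": "POST", "path": "/app/upload", "filename": "../../webapps/ROOT/cmd.jsp"},
    {"method": "POST", "path": "/app/upload", "filename": "..\\..\\webapps\\ROOT\\cmd.jsp"},
    {"method": "POST", "path": "/app/upload", "filename": "%252e%252e%2fwebapps%2fROOT%2fcmd.jsp"},
    {"method": "POST", "path": "/app/upload", "filename": "C:\\inetpub\\wwwroot\\cmd.jsp"},
    {"method": "POST", "path": "/app/upload", "filename": "report.jsp%00.png"},
    {"method": "GET", "path": "/app/status", "filename": ""},
]

if __name__ == "__main__":
    for filename, allowed, reason in run_filter(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {filename!r}: {reason}")
```

The filter canonicalizes before it judges: repeated percent-decoding, backslash-to-slash conversion, drive-letter stripping, and `normpath` are applied first, and the decision is made on where the file would actually land rather than on whether the raw string contains `..`. That is what lets one rule catch the plain, Windows-separator, and double-encoded variants alike. The caveats matter as much as the code: this is a stopgap that covers only the endpoints and encodings it knows about, it does nothing for an attacker who is already inside the segment the host sits in, and it is no substitute for applying the vendor patch and verifying that the patched build actually closes the hole.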

 

North Korean Operatives Use AI to Infiltrate U.S. Companies—Marking a New Phase in Cyber Threat Evolution

Hundreds of North Korean IT operatives have successfully infiltrated Fortune 500 companies by posing as remote workers. What sets this campaign apart is that AI and deepfake tools were used to defeat the hiring controls themselves, not merely to assist with individual tasks: operatives used AI-generated answers to pass technical interviews, and deepfake video and manipulated identity documents to get through identity verification.

While the operation’s primary motive was financial gain, infiltrators can leverage their access for corporate espionage and ransomware, raising significant national security concerns.

This incident represents a new development in cyber threat methodology: adversaries are now using AI not only to scale attacks but to actively embed operatives inside organizations under false identities. It marks a shift from traditional phishing or malware deployment toward human-in-the-loop deception, powered by AI, with the potential for long-term, persistent access to sensitive systems.